Skip to content

Provide option to disable user namespaces#263

Merged
adrelanos merged 2 commits intoKicksecure:masterfrom
raja-grewal:max_user_namespaces
Aug 25, 2024
Merged

Provide option to disable user namespaces#263
adrelanos merged 2 commits intoKicksecure:masterfrom
raja-grewal:max_user_namespaces

Conversation

@raja-grewal
Copy link
Contributor

@raja-grewal raja-grewal commented Aug 16, 2024
edited
Loading

This pull request provides the option to disable user namespaces as per KSPP recommendation.

Changes

There are no changes to the functionality of the code.

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@monsieuremre
Copy link
Contributor

monsieuremre commented Aug 17, 2024

I have an objection. Since version 4 of AppArmor, a very strict userspace policy is enforced. This version came out recently and it is in the latest ubuntu release. When kernel.apparmor_restrict_unprivileged_userns = 1 is set, which it is by default, user name spaces are disabled completely for all processes: enforce mode, complain mode, unconfined, doesn't matter, it is disabled for everything. The only way to enable this feature for a program is to have a dedicated apparmor profile that has the line userns,. And by default, the apparmor package has a bunch of profiles for programs that legitimately need user name spaces, like for sandboxing. See here. With this, it is pretty much disabled for everyone except some select programs. So I don't see much benefit to disabling it completely like this. If I am missing a detail or am wrong about something, please correct me.

@raja-grewal
Copy link
Contributor Author

raja-grewal commented Aug 18, 2024

First to be clear, nothing new is being disabled,

Only the option to entirely disable user nammespaces is being provided which requires users to uncomment the sysctl. The option is being provided in order to highlight all KSPP recommendations which security-misc tries to incorporate.

I also agree that entirely disabling user namespaces by default is inappropriate since it will likely cause numerous unintended breakages. For example, this will (currently) break the UPower (1.90.4) systemd service [1, 2].

Additionally, I was not aware of the specific details relating to the most recent version of AppArmor so thank you for informing me about its updated functionality. Thanks to you I have updated the comments surrounding the sysctl.

However, I still do not see a reason not to provided the option?

@raja-grewal raja-grewal mentioned this pull request Aug 18, 2024
Merged
4 tasks
@adrelanos
Copy link
Member

adrelanos commented Aug 25, 2024

Yes. This is a comment only change. No settings change.

Could you please send another PR noncooperation the information which was added here? Breakage of upower. ...

@adrelanos adrelanos merged commit 73900b5 into Kicksecure:master Aug 25, 2024
@raja-grewal raja-grewal deleted the max_user_namespaces branch August 26, 2024 01:04
@raja-grewal raja-grewal mentioned this pull request Sep 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@raja-grewal @monsieuremre @adrelanos

Comments